
Cybersecurity Briefing — January 6, 2020

CISA Alert AA20-006A warned of potential Iranian cyber responses to U.S. actions, prompting organizations to heighten monitoring, patch externally facing services, and review incident response plans.


Executive briefing: CISA’s AA20-006A alert (6 January 2020) warned of potential Iranian cyber response scenarios—wipers, destructive ICS/OT actions, spearphishing, and DNS hijacking—following geopolitical tensions. This briefing operationalizes the alert with response lanes, detection content, governance cadence, and linked internal guidance.

Why it matters: The alert summarized historical Iranian tactics (password spray, credential theft, destructive malware such as Shamoon/ZeroCleare) and urged immediate validation of incident-response, logging, and segmentation. Organizations with exposed remote access, OT assets, or unmanaged DNS must execute targeted hardening.

Internal navigation: Connect to the Cybersecurity pillar hub, the incident-response guide, and related briefs on CISA Emergency Directive 20-01 and EO 14028 federal cybersecurity for aligned playbooks and control evidence.

Threat scenarios and controls

| Scenario | Controls | Detection |
|---|---|---|
| Destructive wiper (IT) | Immutable backups; MFA on admin; deny-by-default on RDP/SSH; application allowlists. | EDR wiper heuristics; DNS for beacon domains; file integrity on critical shares. |
| ICS/OT disruption | Network segmentation (OT/IT); jump hosts with MFA; disable unused services; vendor remote access approval. | NetFlow on OT DMZ; anomaly detection for protocol misuse (Modbus/DNP3); log vendor access. |
| DNS hijack/record tampering | Registrar lock; DNSSEC; role-based change control; monitored API keys. | Continuous DNS diffing; alert on NS/A/MX changes; SPF/DMARC misalignment alarms. |
| Password spray / OWA brute force | MFA on email and VPN; lockout/Smart Lockout; geolocation and impossible-travel policies. | SIEM rules for 401 spikes per IP/ASN; AzureAD/IdP risk events; OWA logs. |
| Spearphishing with macros | Disable macros by default; attachment sandboxing; user education. | Mail flow rules for suspicious attachments; sandbox detonation alerts. |

72-hour action plan

  1. Day 0–1: Freeze non-essential changes; confirm MFA on externally exposed apps; lock registrars; review VPN, OWA, Citrix, and SSH exposure; enable verbose logging (DNS, VPN, IdP, EDR); capture golden images of domain controllers and OT jump servers.
  2. Day 1–2: Run password-spray hunting queries; patch edge devices; rotate privileged credentials; validate offline/immutable backups; test restore of critical systems; disable legacy protocols (NTLMv1, SMBv1, older TLS).
  3. Day 2–3: Conduct tabletop for destructive malware and DNS hijack; validate playbooks and comms trees; issue employee phishing warning with specific IOCs and reporting instructions; validate escalation pathways to law enforcement and sector ISACs.

Incident-routing diagram

    Alert → Triage (SOC) → Classify (Spray / Wiper / DNS) →
      - Spray: IdP risk rules → force reset & MFA check → report to CTI
      - Wiper: isolate host → backup restore → exec briefing → law enforcement as needed
      - DNS: lock registrar → revert records → notify customers → enable DNSSEC
Route alerts to predefined playbooks to cut mean time to contain.

Detection content (starter queries)

  • Password spray: Count failed logins per IP/ASN > threshold across IdP/VPN/OWA within 15 minutes.
  • DNS tamper: Compare authoritative records hourly against baseline; alert on NS/A/MX/TXT changes outside change window.
  • Wiper precursors: EDR for mass file handles with overwrite patterns; PowerShell invoking cipher /w or wevtutil cl.
  • OT anomalies: Modbus function codes outside allowlist; DNP3 unsolicited responses; unexpected SMB traffic in OT zones.
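A starter implementation of the password-spray query above, added here as an example (it is not detection content from CISA or from the briefing's own SIEM): a sliding 15-minute window over constructed unified IdP/VPN/OWA log lines that counts failures per source IP and flags a source once it crosses a threshold, reporting how many distinct users and systems were hit so a single user fumbling a password is distinguishable from a spray. The log format, sample values and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
WINDOW = timedelta(minutes=15)   # per the briefing's "within 15 minutes"
THRESHOLD = 8                    # failures per source inside WINDOW; tune per site

# Constructed sample lines (not real data): "<timestamp> <system> <src_ip> <user> <result>"
SAMPLE_LOG = """\
2020-01-06T08:00:01Z idp 203.0.113.7 alice FAIL
2020-01-06T08:00:04Z owa 203.0.113.7 bob FAIL
2020-01-06T08:00:09Z vpn 203.0.113.7 carol FAIL
2020-01-06T08:00:13Z idp 203.0.113.7 dave FAIL
2020-01-06T08:00:20Z owa 203.0.113.7 erin FAIL
2020-01-06T08:00:27Z idp 203.0.113.7 frank FAIL
2020-01-06T08:00:33Z vpn 203.0.113.7 grace FAIL
2020-01-06T08:00:41Z owa 203.0.113.7 heidi FAIL
2020-01-06T08:02:10Z idp 198.51.100.9 alice FAIL
2020-01-06T08:02:15Z idp 198.51.100.9 alice FAIL
2020-01-06T08:02:30Z idp 198.51.100.9 alice OK
"""
def parse_line(line):
    """Split one unified-log line into (timestamp, system, src_ip, user, result)."""
    ts, system, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), system, ip, user, result

def detect_spray(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: alert} for sources whose failures within `window`
    reach `threshold`; many distinct users across systems mark a spray."""
    recent = defaultdict(deque)   # src_ip -> deque of (ts, user, system) failures
    alerts = {}
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for ts, system, ip, user, result in events:
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append((ts, user, system))
        while ts - q[0][0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {
                "first_alert": ts.isoformat(),
                "distinct_users": len({u for _, u, _ in q}),
                "systems": sorted({s for _, _, s in q}),
            }
    return alerts

if __name__ == "__main__":
    for ip, alert in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {ip}: {alert}")
```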

Metrics and governance

  • MTTD/MTTR: Detect spray attempts in <5 minutes; contain destructive activity in <30 minutes from first alert.
  • Coverage: 100% MFA on external apps; 100% registrar locks; ≥95% OT remote sessions through jump hosts; ≥90% backups tested quarterly.
  • Hunting cadence: Daily spray hunts; weekly DNS diffs; monthly restore drills with evidence.
  • Evidence: SIEM queries, backup restore logs, MFA enforcement reports, registrar change logs, tabletop minutes.

Communication templates

  • Leadership brief: Situational summary, current exposure, top three mitigations, and escalation contacts.
  • Employees: Phishing indicators, reporting channel, MFA reminder, travel/offsite access guidance.
  • Vendors: Require MFA, change control, and 24/7 contact path; confirm no hardcoded accounts; validate remote access approvals for OT.
  • Regulators/partners: Pre-drafted notice format with incident classification and timeline.

Architecture view

    Internet → WAF/VPN → IdP MFA → SWG/Proxy → Apps
                 |           |
          Registrar locks   DNSSEC
                 |           |
          OT DMZ → Jump host → OT network (segmented)
Segmentation and registrar protections reduce the blast radius of Iranian-attributed TTPs.

Retention and follow-through

Store tabletop notes, SIEM queries, restore evidence, registrar confirmations, MFA enforcement screenshots, and communications. Schedule quarterly destructive-malware drills, DNS-change monitoring reviews, and annual OT remote-access audits to demonstrate sustained vigilance.

Logging prerequisites

  • Identity: Unified audit for IdP, VPN, OWA, and privileged access tools with 30–90 day retention.
  • DNS: Centralized logging from authoritative and resolver layers; enable query/response logging.
  • EDR: Ensure tamper protection and kernel sensors deployed on domain controllers and jump hosts.
  • OT: Flow and packet logging in DMZ; asset inventory with firmware versions.

Tabletop injects (sample)

| Inject | Expected action | Owner |
|---|---|---|
| Mass 401s on OWA from single ASN | Enable conditional access block; force reset; open case with ISP | Security/IdP |
| DNS A record redirected | Lock registrar; revert record; send customer advisory; enable DNSSEC | Network/Comms |
| EDR detects wiper behavior | Isolate host; cut SMB; initiate backup restore; notify leadership | SOC/IT Ops |
| OT vendor requests emergency remote access | Validate change ticket; approve jump-host session; monitor and record | OT lead |

Governance cadence

Hold weekly threat posture reviews during heightened alert, then return to monthly cadence. Track action items, SLA performance for MFA/backup testing, and remediation of findings from each hunt or tabletop.

Supply-chain and remote access safeguards

  • Reverify vendor access lists; disable dormant accounts; require MFA and time-bound approvals for all third-party sessions.
  • Enforce signed updates for OT and IT software; validate hashes before installation; monitor for unauthorized tooling.
  • Confirm out-of-band management interfaces are restricted (no public IPs) and monitored.

Runbook timeline (hours)

| Time (hours) | Action | Owner |
|---|---|---|
| 0–1 | IOC intake; alert triage; classify scenario | SOC |
| 1–2 | Containment (isolate host, lock registrar, block IPs) | Security/Network |
| 2–4 | Backup validation or DNS record restoration | IT Ops |
| 4–8 | Communication to leadership, customers, regulators (if required) | Comms/Legal |
| 8–24 | Forensics and root-cause; eradication and monitoring | Security/IR |

Post-incident assurance

After containment, capture lessons learned, update detection content, rotate credentials involved, and schedule follow-up hunts for 30 days. Verify integrity of logging pipelines to ensure IOCs were captured.

Leadership FAQ

  • What is different now? Heightened likelihood of Iranian-attributed activity targeting remote access and DNS; destructive malware possible.
  • How exposed are we? Summarize internet-facing assets, MFA coverage, registrar protections, and OT segmentation status.
  • What are we doing? MFA enforcement, registrar locks, backup validation, hunts, tabletop, and vendor access tightening.
  • What support is needed? Emergency change approvals, communication amplification, and accelerated procurement for missing controls.

Training snippets

Send a concise awareness note with screenshots of suspicious login prompts, DNS warning signs (certificate/name mismatches), and instructions to report unusual file deletion or device behavior immediately to the SOC.

Third-party coordination

Share vetted IOCs and required controls with critical suppliers and managed service providers; request confirmation of registrar locks, MFA coverage, and backup validation. Include escalation paths for coordinated response if shared infrastructure is targeted.

Align with sector ISAC sharing protocols to submit anonymized indicators and receive peer updates during the heightened threat period.

Ensure crisis management teams have up-to-date contact rosters with backups for weekends and holidays; confirm executive spokespersons are prepared with approved messaging if service disruption occurs.

Have legal counsel pre-review notification templates to expedite outreach if customer-impacting disruption occurs, aligning with contractual commitments and regulatory timelines.

